NERC CIP Industrial Cybersecurity Standards: What You Need to Know Before the Deadline
Industrial device and software vendors beware - new cybersecurity standards are coming into effect in just a few months with the regulatory enforcement capabilities required to impose heavy monetary fines on violators.
Embedded device vendors are already facing regulatory penalties for cybersecurity violations in several verticals. Notably in the US, the FDA and the FTC have used their regulatory power to fine or sue organizations responsible for cybersecurity violations, in the medical and consumer verticals, respectively.
As of now, three new North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are coming into force effective October 2020. Previously it was reported by various sources that the effective date was July 2020, but that changed due to COVID-19. The standards, which address cybersecurity, supply chain handling and incident monitoring, primarily apply to Bulk Electric System (BES) companies. However, due to their focus on procurement, these standards are bound to also affect upstream vendors that sell devices or software to the electric companies.
And NERC has the regulatory authority to impose heavy fines, up to $1 million per day per violation, on non-compliant vendors. So what is NERC, what gives it its regulatory power, and what is mandated by the standards in question?
The North American Electric Reliability Corporation (NERC) is a non-profit organization responsible for the Bulk Electric System (BES) in Canada, the US, and Mexico. BES generally means commercial power generation, distribution and interconnection at voltages over 100 kV. Originally a voluntary council formed by US electricity suppliers to address various reliability issues, it has since evolved to have a wider geographic scope.
NERC also received official recognition from the US Federal Energy Regulatory Commission (FERC), which grants it the power to impose mandatory requirements and fine violators. It has been issuing cybersecurity standards as far back as 2007 and now maintains several standards in this field.
NERC also operates the Electricity Information Sharing and Analysis Center (E-ISAC), which disseminates cybersecurity alert bulletins that are relevant to the electric power generation industry.
The NERC cybersecurity standards
The three cybersecurity standards coming into effect in October 2020 are:
- CIP-013-1 - Cyber Security – Supply Chain Risk Management
- CIP-005-6 - Cyber Security – Electronic Security Perimeter(s)
- CIP-010-3 - Cyber Security – Configuration Change Management and Vulnerability Assessments
Another standard worth noting is CIP-008-6 - Cyber Security – Incident Reporting and Response Planning, coming into effect in January 2021.
Of the standards listed above, CIP-005-6 stands out as it has more technical security requirements, whereas the others dictate company policies and procedures.
It should be noted that the standards’ requirements differ by impact level, with BES systems assigned Low, Medium or High impact ratings according to a different NERC standard (CIP-002-5). As a result, most of the requirements discussed below do not apply to less complex power generation facilities.
CIP-013-1 - Cyber Security – Supply Chain Risk Management
The standard requires that a company document, implement and approve a plan for managing supply chain cybersecurity risk. All future procurement contracts with external vendors will be affected by this plan which must address the following processes:
- Security incident notification
- Coordinated incident response
- Disclosure of known vulnerabilities
- Verification of integrity and authenticity of all software and patches
- Coordination of controls for vendor remote access, including revocation of that access
CIP-005-6 - Cyber Security – Electronic Security Perimeter(s)
The standard contains requirements that translate to technical steps including:
- Electronic Security Perimeters with defined entry points which can be roughly interpreted as installing firewalls and ensuring controlled access to all industrial embedded devices
- Authentication for remote access, including multi-factor authentication on interactive sessions
- Monitoring remote access with the ability to disable active sessions
- Detecting malicious communication
- Encrypting communications, with encryption terminating at an intermediate system – this may be necessary because some industrial endpoint devices are not capable of high-quality communication encryption, or because end-to-end encryption could interfere with the monitoring and detection requirements.
CIP-010-3 - Cyber Security – Configuration Change Management and Vulnerability Assessments
The standard focuses on configuration and asset management and the associated documentation.
- Develop a baseline configuration
- Authorize and document changes, and update the baseline configuration as necessary
- Determine the required cybersecurity controls for each change
- Test the change and document the results
- Monitor for configuration changes at least once every 35 days
- Conduct a “paper” or active vulnerability assessment at least once every 15 months
- Conduct an active vulnerability assessment at least once every 36 months (high impact level only)
- Perform a cybersecurity assessment prior to adding a new asset
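The baseline, change-authorization and 35-day monitoring steps above translate into a simple drift check, shown here as an added example (not code from the post or from any NERC document); the baseline categories, asset data and change tickets are constructed for illustration.

```python
"""Baseline-configuration drift check in the spirit of the CIP-010 steps above (added example)."""
from datetime import date

MONITOR_INTERVAL_DAYS = 35  # the page: monitor for configuration changes at least once every 35 days

# Baseline as category -> set of items. The categories are chosen by this example
# for illustration; they are not copied from the standard's text.
BASELINE = {
    "firmware": {"relay-fw 4.2.1"},
    "software": {"logger 1.8", "ntp-client 2.0"},
    "open_ports": {"tcp/502", "tcp/22"},
    "patches": {"SA-2020-01"},
}

# Constructed observation of the same (hypothetical) asset during a later check.
OBSERVED = {
    "firmware": {"relay-fw 4.2.1"},
    "software": {"logger 1.9", "ntp-client 2.0"},
    "open_ports": {"tcp/502", "tcp/22", "tcp/80"},
    "patches": {"SA-2020-01", "SA-2020-03"},
}

# Changes that were authorized and documented (hypothetical change tickets).
AUTHORIZED = {
    ("software", "removed", "logger 1.8"),
    ("software", "added", "logger 1.9"),
    ("patches", "added", "SA-2020-03"),
}


def diff_baseline(baseline, observed):
    """Return sorted (category, 'added'|'removed', item) tuples for every deviation."""
    changes = []
    for category in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(category, set()), observed.get(category, set())
        changes += [(category, "added", item) for item in sorted(after - before)]
        changes += [(category, "removed", item) for item in sorted(before - after)]
    return changes


def unauthorized_changes(baseline, observed, authorized):
    """Deviations with no approval record: investigate these rather than just update the baseline."""
    return [c for c in diff_baseline(baseline, observed) if c not in authorized]


def monitoring_overdue(last_check, today):
    """True when more than the 35-day monitoring window has elapsed since the last check."""
    return (today - last_check).days > MONITOR_INTERVAL_DAYS


if __name__ == "__main__":
    for change in unauthorized_changes(BASELINE, OBSERVED, AUTHORIZED):
        print("UNAUTHORIZED:", change)  # the new tcp/80 listener has no ticket
    print("overdue:", monitoring_overdue(date(2020, 10, 1), date(2020, 11, 10)))
```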
NERC is authorized to impose fines on organizations that violate its standards, up to $1,000,000 per day per organization. Sizable recent fines have ranged from $100,000 to $10,000,000 (NERC publishes a full list). It’s important to note that the cost to the violator doesn’t end with the fine, since the company still has to spend money on remediating the violations. The company may also have to notify relevant stakeholders, including its suppliers or buyers. In some cases, it may have its name published on the NERC website, exposing it to reputational damage and lost business prospects.
Several companies already offer solutions and consulting services regarding compliance with NERC CIP standards. As we’ve mentioned before on this blog, when it comes to cybersecurity compliance and verification, automated tools can help vendors test a wide range of products in a very short time. They also can help companies compare different suppliers, and uncover weaknesses and vulnerabilities introduced by third-party libraries and components.
Due to the importance of these standards, VDOO is incorporating them into its automated firmware analysis solution. To learn more, please schedule a demo so you can speak with one of our device security experts.